The designer will ensure the application using PKI validates certificates for expiration, confirms the origin is from a DoD authorized CA, verifies the certificate has not been revoked by CRL or OCSP, and ensures the CRL cache (if used) is updated at least daily.

The application should not provide access to users or other entities using expired, revoked or improperly signed certificates because the identity cannot be verified.
Responsibility: System Administrator
IA Controls: IATS-1, IATS-2
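The four checks the rule above requires, as an added example that is not part of the STIG: a decision routine over a simplified certificate record (not an X.509 parser; signature verification is assumed done elsewhere) that fails closed when the cached CRL is stale or missing. The issuer name, serial numbers and `NOW` are constructed values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <time.h>

/* Simplified certificate record carrying only the fields the checks use.
 * Chain/signature verification is assumed to have been done already and
 * its result recorded in signature_ok; this is not an X.509 parser. */
typedef struct {
    const char *issuer;      /* issuer DN, compared against the authorized-CA list */
    uint64_t    serial;
    time_t      not_before;
    time_t      not_after;
    bool        signature_ok;
} cert_t;

/* Locally cached CRL for one issuer, with the time it was last refreshed. */
typedef struct {
    const char     *issuer;
    time_t          fetched_at;
    const uint64_t *revoked;   /* serial numbers listed in the CRL */
    size_t          nrevoked;
} crl_cache_t;

typedef enum {
    CERT_OK = 0,
    CERT_BAD_SIGNATURE,
    CERT_NOT_YET_VALID,
    CERT_EXPIRED,
    CERT_UNTRUSTED_CA,
    CERT_REVOKED,
    CERT_REVOCATION_UNKNOWN  /* no usable CRL: fail closed, never accept */
} cert_verdict_t;

/* The rule requires the CRL cache to be refreshed at least daily. */
#define CRL_MAX_AGE_SECONDS (24 * 60 * 60)

static bool issuer_authorized(const char *issuer, const char *const *cas, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (strcmp(issuer, cas[i]) == 0)
            return true;
    return false;
}

cert_verdict_t check_certificate(const cert_t *c,
                                 const char *const *authorized_cas, size_t ncas,
                                 const crl_cache_t *crl, time_t now)
{
    if (!c->signature_ok)
        return CERT_BAD_SIGNATURE;
    if (now < c->not_before)
        return CERT_NOT_YET_VALID;
    if (now > c->not_after)
        return CERT_EXPIRED;
    if (!issuer_authorized(c->issuer, authorized_cas, ncas))
        return CERT_UNTRUSTED_CA;
    /* Revocation: a CRL from a different issuer says nothing about this cert. */
    if (crl == NULL || strcmp(crl->issuer, c->issuer) != 0)
        return CERT_REVOCATION_UNKNOWN;
    for (size_t i = 0; i < crl->nrevoked; i++)
        if (crl->revoked[i] == c->serial)
            return CERT_REVOKED;
    /* Not listed, but a stale (or clock-skewed) cache cannot prove that. */
    if (crl->fetched_at > now || now - crl->fetched_at > CRL_MAX_AGE_SECONDS)
        return CERT_REVOCATION_UNKNOWN;
    return CERT_OK;
}

/* Constructed scenario data with a fixed "now" so outcomes are deterministic. */
#define NOW ((time_t)1700000000)
static const char *const AUTHORIZED_CAS[] = { "CN=Example Authorized CA" };
static const uint64_t REVOKED_SERIALS[] = { 0x1002 };

cert_verdict_t demo_verdict(uint64_t serial, const char *issuer,
                            time_t not_after, time_t crl_age_seconds)
{
    cert_t c = { issuer, serial, NOW - 86400 * 30, not_after, true };
    crl_cache_t crl = { AUTHORIZED_CAS[0], NOW - crl_age_seconds,
                        REVOKED_SERIALS, 1 };
    return check_certificate(&c, AUTHORIZED_CAS, 1, &crl, NOW);
}
```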

SV-6130r1_rule

APP3320

MEDIUM

The designer will ensure the application has the capability to require account passwords that conform to DoD policy.

Weak passwords can be guessed or easily cracked using various methods. This can potentially lead to unauthorized access to the application.
Responsibility: System Administrator
IA Controls: IAIA-1

SV-6131r1_rule

APP3380

MEDIUM

The designer will ensure the application prevents the creation of duplicate accounts.

Duplicate user accounts can create a situation where multiple users will be mapped to a single account. These duplicate user accounts may cause users to assume other users' roles and lead to privilege escalation. If user IDs are not unique and individual, user activity may not be accurately audited and unauthorized activity may not be seen by the audit system.
Responsibility: System Administrator
IA Controls: IAIA-1

SV-6132r2_rule

APP6240

LOW

The IAO will ensure all user accounts that are authorized to have access to the application but have not authenticated within the past 35 days are disabled.

Disabling inactive user IDs ensures access and privilege are available only to those who need them.
Responsibility: System Administrator
IA Controls: IAAC-1, IAIA-1

SV-6133r1_rule

APP6250

MEDIUM

The IAO will ensure unnecessary built-in application accounts are disabled.

Default passwords and properties of built-in accounts are often publicly available. Anyone with the necessary knowledge, internal or external, can compromise an application using built-in accounts.
Responsibility: System Administrator
IA Controls: IAIA-1

SV-6134r1_rule

APP6260

HIGH

The IAO will ensure default passwords are changed.

Default passwords can easily be compromised by attackers, allowing immediate access to the applications.
Responsibility: System Administrator
IA Controls: IAIA-1

SV-6135r1_rule

APP3210

MEDIUM

The designer will ensure the appropriate cryptography is used to protect stored DoD information if required by the information owner.

Application data needs to be properly protected. Application data contains not only operationally sensitive data, but also personal data covered by the Privacy Act that needs to be protected internally and externally. Classified data could be compromised if the required level of encryption is not utilized.
Responsibility: System Administrator
IA Controls: ECCR-2, ECCR-1, ECCR-3

SV-6136r1_rule

APP3250

HIGH

The designer will ensure data transmitted through a commercial or wireless network is protected using an appropriate form of cryptography.

Unapproved cryptographic module algorithms cannot be verified and cannot be relied upon to provide confidentiality or integrity, and DoD data may be compromised due to weak algorithms.
If the module is not on the FIPS validated encryption list, this is a CAT III finding.
If there is no module being used, this is a CAT II finding.
Responsibility: System Administrator
IA Controls: ECCR-1, DCNR-1, ECCT-1, ECCT-2, ECCR-2

SV-6138r1_rule

APP3680

MEDIUM

The designer will ensure the application design includes audits on all access to need-to-know information and key application events.

Properly logged and monitored audit logs not only assist in combating threats, but also play a key role in diagnosis, forensics, and recovery.
Responsibility: System Administrator
IA Controls: ECAR-3, ECAR-2, ECAR-1

SV-6139r1_rule

APP3650

LOW

The designer will ensure the application has a capability to notify an administrator when audit logs are nearing capacity as specified in the system documentation.

If an application audit log reaches capacity without warning, it will stop logging important system and security events. It could also open the system up to a type of denial of service attack, if an application halts with a full log.
Responsibility: System Administrator
IA Controls: ECAT-2

SV-6140r1_rule

APP3690

MEDIUM

The designer and IAO will ensure the audit trail is readable only by the application and auditors and protected against modification and deletion by unauthorized individuals.

Excessive permissions on audit records allow cover-up of intrusion or misuse of the application.
Responsibility: System Administrator
IA Controls: ECTP-1

SV-6141r1_rule

APP3480

HIGH

The designer will ensure access control mechanisms exist to ensure data is accessed and changed only by authorized personnel.

If access control mechanisms are not in place, anonymous users could potentially make unauthorized read and modification requests to the application data, which is an immediate loss of the integrity of the data.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
Responsibility: System Administrator
IA Controls: ECPA-1, ECLP-1, ECCD-2

SV-6142r1_rule

APP3240

MEDIUM

The designer will ensure all access authorizations to data are revoked prior to initial assignment, allocation or reallocation to an unused state.

DoD data may be compromised if applications do not protect residual data in objects when they are allocated to an unused state. Access authorizations to data should be revoked prior to initial assignment, allocation or reallocation to an unused state because subsequent use of the object could allow access to the residual data.
Responsibility: System Administrator
IA Controls: ECRC-1

SV-6143r1_rule

APP3500

MEDIUM

The designer will ensure the application executes with no more privileges than necessary for proper operation.

An application with unnecessary access privileges can give an attacker access to the underlying operating system.
Responsibility: System Administrator
IA Controls: ECLP-1

SV-6144r1_rule

APP3410

MEDIUM

The designer will ensure the application provides a capability to limit the number of logon sessions per user and per application.

If a user account has been compromised, limiting the number of sessions will allow the administrator to detect the compromise by an indication that the maximum number of sessions has been exceeded. Also, limiting the number of sessions affords an application the ability to prevent resources from becoming overloaded, and prevents a large-scale DoS.
Responsibility: System Administrator
IA Controls: ECLO-1

SV-6145r1_rule

APP2040

MEDIUM

If the application contains classified data, the Program Manager will ensure a Security Classification Guide exists containing data elements and their classification.

Without a classification guide the marking, storage, and output media of classified material can be inadvertently mixed with unclassified material, leading to its possible loss or compromise.
Responsibility: Information Assurance Officer
IA Controls: DCSD-1

SV-6146r1_rule

APP3270

HIGH

The designer will ensure the application has the capability to mark sensitive/classified output when required.

Failure to properly mark output could result in a disclosure of sensitive or classified data, which is an immediate loss in confidentiality.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
Responsibility: System Administrator
IA Controls: ECML-1

SV-6147r1_rule

APP5030

MEDIUM

The Test Manager will ensure the application does not modify data files outside the scope of the application.

Modifying data or files outside the scope of the application could lead to system instability in the event of an application problem. Also, a problem with this application could affect the operation of another application.
Responsibility: System Administrator
IA Controls: ECRC-1

SV-6148r1_rule

APP3020

MEDIUM

The designer will ensure threat models are documented and reviewed for each application release and updated as required by design and functionality changes or new threats are discovered.

The lack of threat modeling will potentially leave unidentified threats for attackers to utilize to gain access to the application.
Responsibility: System Administrator
IA Controls: DCSQ-1

SV-6149r1_rule

APP3050

MEDIUM

The designer will ensure the application does not contain source code that is never invoked during operation, except for software components and libraries from approved third-party products.

Unused libraries increase program size without any benefit and may expose an enclave to possible malware. They can be used by a worm as program space, and increase the risk of a buffer overflow attack. As code evaluations are performed, to identify potential vulnerabilities or to identify security enhancements, unused code will not be evaluated and therefore adds additional unknown risk.
Responsibility: System Administrator
IA Controls: DCSQ-1

SV-6150r1_rule

APP3060

MEDIUM

The Designer will ensure the application does not store configuration and control files in the same directory as user data.

Application code and data require two very different security requirements, authentication and authorization (especially in file access). Without proper authentication and authorization there is the potential for existing code to be changed. These changes in code can lead to a Denial of Service (DoS) attack or allow malicious code to be placed within the application. In addition, collocating application data and code complicates many issues such as backup, recovery, directory access privilege, and upgrades.
Responsibility: System Administrator
IA Controls: DCPA-1

SV-6151r1_rule

APP6030

MEDIUM

The IAO will ensure unnecessary services are disabled or removed.

Unnecessary services and software increase the security risk by increasing the potential attack surface of the application.
Responsibility: System Administrator
IA Controls: DCSD-1

SV-6152r1_rule

APP3440

MEDIUM

The designer will ensure the application is capable of displaying a customizable click-through banner at logon which prevents further activity on the information system unless and until the user executes a positive action to manifest agreement by clicking on a box indicating "OK."

A logon banner is used to warn users against unauthorized entry and the possibility of legal action for unauthorized users, and advise all users that system use constitutes consent to monitoring, recording, and auditing, and that they have no expectation of privacy. Failure to display a logon warning banner with this type of information could adversely impact the ability to prosecute unauthorized users and users who abuse the system.
Responsibility: System Administrator
IA Controls: ECWM-1

SV-6153r1_rule

APP3430

HIGH

The designer will ensure the application removes authentication credentials on client computers after a session terminates.

Leaving authentication credentials stored at the client level allows potential access to session information that can be used by subsequent users of a shared workstation, and the credentials could also be exported and used on other workstations, providing immediate unauthorized access to the application.
Responsibility: System Administrator
IA Controls: IAIA-1, IAIA-2

SV-6154r1_rule

APP3470

MEDIUM

The designer will ensure the application is organized by functionality and roles to support the assignment of specific roles to specific application functions.

Without a least privilege policy, a user can gain access to information that he or she is not entitled to and can compromise confidentiality, integrity, and availability of the system. Also, minimizing privileges reduces the risk associated with hijacked accounts. Role-based accounts can separate administrative and non-administrative rights into different roles.
Responsibility: System Administrator
IA Controls: ECLP-1, ECPA-1

SV-6155r1_rule

APP3420

MEDIUM

The designer will ensure the application provides a capability to terminate a session and log out.

If a user cannot log out of the application, subsequent users of a shared system could continue to use the previous user's session to the application.
Responsibility: System Administrator
IA Controls: DCSQ-1

SV-6156r1_rule

APP3350

HIGH

The designer will ensure the application does not contain embedded authentication data.

Authentication data stored in code could potentially be read and used by anonymous users to gain access to a backend database or application server. This could lead to immediate access to a backend server.
Responsibility: System Administrator
IA Controls: IAIA-1, IAIA-2

SV-6157r1_rule

APP3080

MEDIUM

The designer will ensure the application does not contain invalid URL or path references.

Resource information in code can easily advertise available vulnerabilities to unauthorized users. By placing the references into configuration files, the files can be further protected by file permissions and will be separated for ease of updating.
Responsibility: System Administrator
IA Controls: DCSQ-1

SV-6158r1_rule

APP3740

MEDIUM

The designer will ensure the application only embeds mobile code in e-mail which does not execute automatically when the user opens the e-mail body or attachment.

The practice of opening e-mails with executable code renders the recipient vulnerable to Internet worms, malicious content, and other threats.
Responsibility: System Administrator
IA Controls: DCMC-1

SV-6159r1_rule

APP3700

MEDIUM

The designer will ensure unsigned Category 1A mobile code is not used in the application in accordance with DoD policy.

Use of untrusted Level 1 and 2 mobile code technologies can introduce security vulnerabilities and malicious code into the client system.
Responsibility: System Administrator
IA Controls: DCMC-1

SV-6160r1_rule

APP3720

MEDIUM

The designer will ensure unsigned Category 2 mobile code executing in a constrained environment has no access to local system and network resources.

Mobile code cannot conform to traditional installation and configuration safeguards; therefore, the use of local operating system resources and spawning of network connections introduce harmful and uncertain effects.
Responsibility: System Administrator
IA Controls: DCMC-1

SV-6161r1_rule

APP3710

MEDIUM

The designer will ensure signed Category 1A and Category 2 mobile code signature is validated before executing.

Untrusted mobile code may contain malware or malicious code, and digital signatures provide a source for the content, which is crucial to authentication and trust of the data.
Responsibility: System Administrator
IA Controls: DCMC-1

SV-6162r1_rule

APP3730

MEDIUM

The designer will ensure uncategorized or emerging mobile code is not used in applications.

Mobile code does not require any traditional software acceptance testing or security validation. Mobile code needs to follow sound policy to maintain a reasonable level of trust. Mobile code that does not fall into existing policy cannot be trusted.
Responsibility: System Administrator, Systems Programmer
IA Controls: DCMC-1

SV-6163r1_rule

APP3100

MEDIUM

The Designer will ensure the application removes temporary storage of files and cookies when the application is terminated.

If the application does not remove temporary data (e.g., authentication data, temporary files containing sensitive data, etc.), this temporary data could be used to re-authenticate the user or allow unauthorized access to sensitive data.
Responsibility: System Administrator
IA Controls: ECRC-1

SV-6164r1_rule

APP3510

HIGH

The designer will ensure the application validates all input.

Absence of input validation opens an application to improper manipulation of data. The lack of input validation can lead to immediate access to the application, denial of service, and corruption of data.
Responsibility: System Administrator
IA Controls: DCSQ-1

SV-6165r2_rule

APP3590

HIGH

The designer will ensure the application does not have buffer overflows, use functions known to be vulnerable to buffer overflows, and does not use signed values for memory allocation where permitted by the programming language.

Buffer overflow attacks occur when improperly validated input is passed to an application, overwriting memory. Usually, buffer overflow errors stop execution of the application, causing at a minimum a denial of service and possibly a system call to a command shell giving the attacker access to the underlying operating system.
Responsibility: System Administrator
IA Controls: DCSQ-1
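The signed-size allocation defect named in the rule above, beside its hardened form, as an added example that is not part of the STIG. The wire format (a 4-byte big-endian entry count followed by fixed-size entries), `ENTRY_SIZE` and `MAX_ENTRIES` are assumptions; the defective function is kept only for comparison and is never called.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format: a 4-byte big-endian entry count followed by
 * fixed-size entries. ENTRY_SIZE and MAX_ENTRIES are assumptions. */
#define ENTRY_SIZE   16u
#define MAX_ENTRIES  4096u

/* BEFORE (deliberately defective, the pattern the rule forbids): the count
 * is a signed int from untrusted input and sizes the allocation unchecked.
 * A negative count converts to a huge unsigned size; a large positive count
 * overflows count * ENTRY_SIZE and under-allocates; either way the memcpy
 * writes past the buffer. Kept here only for comparison; never called. */
unsigned char *copy_entries_unsafe(const unsigned char *in, int count)
{
    unsigned char *out = malloc(count * ENTRY_SIZE);
    if (out != NULL)
        memcpy(out, in, count * ENTRY_SIZE);
    return out;
}

typedef enum {
    COPY_OK = 0,
    COPY_BAD_COUNT,        /* zero, above policy limit, or would overflow */
    COPY_TRUNCATED_INPUT,  /* header claims more entries than bytes present */
    COPY_NOMEM
} copy_status_t;

/* AFTER: unsigned sizes throughout, a policy bound, an explicit overflow
 * check on the multiplication, and a copy bounded by the actual input
 * length rather than by what the header claims. */
copy_status_t copy_entries_safe(const unsigned char *in, size_t in_len,
                                size_t count, unsigned char **out, size_t *out_len)
{
    *out = NULL;
    *out_len = 0;
    if (count == 0 || count > MAX_ENTRIES)
        return COPY_BAD_COUNT;
    if (count > SIZE_MAX / ENTRY_SIZE)   /* multiplication would wrap */
        return COPY_BAD_COUNT;
    size_t need = count * ENTRY_SIZE;
    if (need > in_len)
        return COPY_TRUNCATED_INPUT;
    unsigned char *buf = malloc(need);
    if (buf == NULL)
        return COPY_NOMEM;
    memcpy(buf, in, need);
    *out = buf;
    *out_len = need;
    return COPY_OK;
}

/* Read the count field as an unsigned value; reading it into an int is how
 * 0xFFFFFFFF becomes -1 and slips past a "count < limit" test. */
size_t read_count_be32(const unsigned char *p)
{
    return ((size_t)p[0] << 24) | ((size_t)p[1] << 16) |
           ((size_t)p[2] << 8)  |  (size_t)p[3];
}

/* Build a constructed record whose header claims `claimed` entries but
 * carries only `payload_len` bytes (at most 64 here), parse it with the
 * hardened routine, and report the outcome. */
copy_status_t demo_copy(uint32_t claimed, size_t payload_len)
{
    unsigned char record[4 + 64];
    if (payload_len > 64)          /* demo buffer limit, not a parser result */
        return COPY_BAD_COUNT;
    record[0] = (unsigned char)(claimed >> 24);
    record[1] = (unsigned char)(claimed >> 16);
    record[2] = (unsigned char)(claimed >> 8);
    record[3] = (unsigned char)claimed;
    for (size_t i = 0; i < payload_len; i++)
        record[4 + i] = (unsigned char)i;

    unsigned char *out;
    size_t out_len;
    copy_status_t st = copy_entries_safe(record + 4, payload_len,
                                         read_count_be32(record), &out, &out_len);
    if (st == COPY_OK) {
        /* The copy must match the payload exactly; release it afterwards. */
        if (memcmp(out, record + 4, out_len) != 0)
            st = COPY_BAD_COUNT;
        free(out);
    }
    return st;
}
```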

SV-6166r1_rule

APP3120

MEDIUM

The designer will ensure the application is not subject to error handling vulnerabilities.

Unhandled exceptions leave users with no means to properly respond to errors. Mishandled exceptions can transmit information that can be used in future security breaches. Properly handled errors allow applications to follow security procedures and guidelines in an informed manner. If too much information is revealed in the error message, it can be used as the basis for an attack.
Responsibility: System Administrator
IA Controls: DCSQ-1

SV-6167r1_rule

APP3140

MEDIUM

The designer will ensure application initialization, shutdown, and aborts are designed to keep the application in a secure state.

An application could be compromised, providing an attack vector into the enclave, if application initialization, shutdown, and aborts are not designed to keep the application in a secure state.
If an application fails without closing or shutting down processes or open sessions, authentication and validation mechanisms are in doubt. Responsible application development practices must be applied to ensure the failed application is handled gracefully to prevent creation of security risks.
Responsibility: System Administrator
IA Controls: DCSS-2

SV-6168r1_rule

APP3300

MEDIUM

The designer will ensure applications requiring server authentication are PK-enabled.

Applications not using PKI are at risk of containing many password vulnerabilities. PKI is the preferred method of authentication.
Responsibility: System Administrator
IA Controls: IATS-2, IATS-1

SV-6169r1_rule

APP2100

MEDIUM

The Program Manager and designer will ensure the application design complies with the DoD Ports and Protocols guidance.

Failure to comply with DoD Ports, Protocols, and Services (PPS) Vulnerability Analysis and associated PPS mitigations may result in compromise of enclave boundary protections and/or functionality of the application.
Responsibility: System Administrator
IA Controls: DCPP-1

SV-6170r1_rule

APP2070

LOW

The Program Manager and designer will ensure any IA, or IA enabled, products used by the application are NIAP approved or in the NIAP approval process.

IA or IA enabled products that have not been evaluated by NIAP may degrade the security posture of the enclave if they do not operate as expected, are configured incorrectly, or have hidden security flaws.
Responsibility: System Administrator
IA Controls: DCAS-1

SV-6171r1_rule

APP6160

MEDIUM

The IAO will ensure recovery procedures and technical system features exist so recovery is performed in a secure and verifiable manner.
The IAO will document circumstances inhibiting a trusted recovery.

Without a disaster recovery plan, the application is susceptible to interruption in service due to damage within the processing site.
Responsibility: System Administrator
IA Controls: CODP-2, CODP-3, CODP-1

SV-6172r1_rule

APP6190

MEDIUM

The IAO will ensure data backup is performed at required intervals in accordance with DoD policy.

Without proper backups, the application is not protected from the loss of data or the operating environment in the event of hardware or software failure.
Responsibility: System Administrator
IA Controls: CODB-1, CODB-3, CODB-2

SV-6173r1_rule

APP6140

MEDIUM

The IAO will ensure application audit trails are retained for at least 1 year for applications without SAMI data, and 5 years for applications including SAMI data.

Log files are a requirement to trace intruder activity or to audit user activity.
Responsibility: System Administrator
IA Controls: ECRR-1

SV-6174r2_rule

APP6100

MEDIUM

The IAO will ensure production database exports have database administration credentials and sensitive data removed before releasing the export.

Production database exports are often used to populate development databases. Test and development environments do not typically have the same rigid security protections that production environments do. When production data is used in test and development, the production database exports will need to be scrubbed to prevent information like passwords and other sensitive data from becoming available to development and test staff who may not have a need to know. Sensitive data should not be included in database exports because of classification, privacy, and other types of data protection requirement issues. Not all application developers have a need to know sensitive information such as HIPAA data, Privacy Act data, production admin passwords or classified data.
Responsibility: System Administrator
IA Controls: ECAN-1

SV-6197r2_rule

APP2010

MEDIUM

The Program Manager will ensure a System Security Plan (SSP) is established to describe the technical, administrative, and procedural IA program and policies governing the DoD information system, and identifying all IA personnel and specific IA requirements and objectives.

If the DAA, IAM, or IAO are not performing assigned functions in accordance with DoD requirements, it could impact the overall security of the facility, personnel, systems, and data, which could lead to degraded security. If the DAA and the IAM/IAO are not appointed in writing, there will be no way to ensure they understand the responsibilities of the position and the appointment criteria. The lack of a complete System Security Plan (SSP) could lead to ineffective secure operations and impede accreditation. A System Identification Profile (SIP) and the DIACAP Implementation Plan (DIP) may be considered as sufficient proof of compliance as long as the documentation provides all of the information that is needed to meet the requirement.
Responsibility: Information Assurance Manager
IA Controls: DCSD-1

SV-6198r1_rule

APP2160

MEDIUM

The Program Manager and IAO will ensure development systems, build systems, test systems, and all components comply with all appropriate DoD STIGs, NSA guides, and all applicable DoD policies.
The Test Manager will ensure both client and server machines are STIG compliant.

Applications developed on a non-STIG-compliant platform may not function when deployed to a STIG-compliant platform, and therefore cause a potential denial of service to the users and the application, or require lessening security requirements on the client side of the application.
Responsibility: System Administrator
IA Controls: DCCS-1, ECSC-1, DCCS-2

SV-7372r1_rule

APP3010

MEDIUM

The designer will create and update the Design Document for each release of the application.

The detailed functional architecture must be documented to ensure all risks are assessed and mitigated to the maximum extent practical. Failure to do so may result in unexposed risk, and failure to mitigate the risk leading to failure or compromise of the system.
Responsibility: System Administrator
IA Controls: DCFA-1

SV-17773r1_rule

APP2020

MEDIUM

The Program Manager will provide an Application Configuration Guide to the application hosting providers to include a list of all potential hosting enclaves and connection rules and requirements.

The security posture of the enclave could be degraded if an Application Configuration Guide is not available and followed by application developers.
Responsibility: System Administrator
IA Controls: DCID-1, EBCR-1

SV-17775r1_rule

APP2050

MEDIUM

The Program Manager will ensure the system has been assigned specific MAC and confidentiality levels.

The site security posture and mission completion could be adversely affected if site-managed applications and data are not properly assigned the MAC and confidentiality levels.
Responsibility: System Administrator
IA Controls: DCSD-1

SV-17776r1_rule

APP2060

MEDIUM

The Program Manager will ensure the development team follows a set of coding standards.

Implementing coding standards provides many benefits to the development process. These benefits include readability, consistency, and ease of integration.
Code conforming to a standard format is easier to read, especially if someone other than the original developer is examining the code. In addition, formatted code can be debugged and corrected faster than unformatted code.
Introducing coding standards can help increase the consistency, reliability, and security of the application by ensuring common programming structures and tasks are handled by similar methods, as well as, reducing the occurrence of common logic errors.
Coding standards also allow developers to quickly adapt to code which has been developed by various members of a development team. Coding standards are useful in the code review process as well as in situations where a team member leaves and duties must then be assigned to another team member. Coding standards often cover the use of white space characters, variable naming conventions, function naming conventions, and comment styles.
Responsibility: Information Assurance Manager
IA Controls: DCSQ-1

The security posture of the enclave could be compromised if applications are not at the approved NIAP/NSA protection profile. GOTS or COTS IA and IA enabled IT products must be in compliance with NIAP/NSA protection profiles in order to protect classified information when the information transits networks which are at a lower classification level than the information being transported.
Responsibility: System Administrator
IA Controls: DCSR-2, DCSR-1, DCSR-3

SV-17778r1_rule

APP2090

MEDIUM

The Program Manager will document and obtain DAA risk acceptance for all public domain, shareware, freeware, and other software products/libraries with both (1) no source code to review, repair, and extend, and (2) limited or no warranty, when such products are required for mission accomplishment.

The security posture of the enclave could be compromised if untested or unwarranted software is used, due to the risk of software failure, hidden vulnerabilities, or other malware embedded in the application. The Program Manager and IAO must get DAA approval prior to using this type of software for risk acceptance. Public domain software is shareware. There cannot be any assurance the product's integrity or security mechanisms exist without conducting a code review or vulnerability analysis. Failure to properly authorize shareware, before it is installed or used, on corporate AISs could result in the compromise of sensitive corporate resources.
Responsibility: System Administrator
IA Controls: DCPD-1

SV-17779r1_rule

APP2110

MEDIUM

The Program Manager and designer will ensure the application is registered with the DoD Ports and Protocols Database.

Failure to register the application's usage of ports, protocols, and services with the DoD PPS Database may result in a Denial of Service (DoS) because of enclave boundary protections at other end points within the network.
Responsibility: System Administrator
IA Controls: DCPP-1

SV-17780r1_rule

APP2120

MEDIUM

The Program Manager will ensure all levels of program management, designers, developers, and testers receive the appropriate security training pertaining to their job function.

Well trained IT personnel are the first line of defense against attacks or disruptions to the information system. Lack of sufficient training can lead to security oversights, thereby leading to compromise or failure to take necessary actions to prevent disruptions to operations.
Responsibility: Information Assurance Officer
IA Controls: PRTN-1

SV-17781r1_rule

APP2130

MEDIUM

The Program Manager will ensure a vulnerability management process is in place to include ensuring a mechanism is in place to notify users, and users are provided with a means of obtaining security updates for the application.

If there is no mechanism (e.g., e-mail list, patch server) to provide updates for an application that is already deployed, security flaws can never be addressed. Also, if there is no comprehensive vulnerability management process or policy for the systematic identification and mitigation of software vulnerabilities, security vulnerabilities may go unnoticed, unreported, or unmitigated.
Responsibility: Information Assurance Officer
IA Controls: DCCT-1, VIVM-1

SV-17782r1_rule

APP2140

MEDIUM

The Program Manager will ensure a security incident response process for the application is established that defines reportable incidents and outlines a standard operating procedure for incident response to include Information Operations Condition (INFOCON).

Without a plan, training, and assistance, users will not know what actions need to be taken in the event of system attack or system/application compromise. This could result in additional compromise and theft, or degraded system capability.
Responsibility: System Administrator
IA Controls: VIIR-2, VIIR-1

SV-17783r1_rule

APP2150

MEDIUM

The Program Manager will ensure procedures are implemented to assure physical handling and storage of information is in accordance with the data’s sensitivity.

Failure to have proper workplace security procedures can lead to the loss or compromise of classified or sensitive information.
Responsibility: System Administrator
IA Controls: PESP-1

SV-17784r1_rule

APP3070

MEDIUM

The designer will ensure the user interface services are physically or logically separated from data storage and management services.

If user interface services are compromised, this may lead to the compromise of data storage and management services if they are not logically or physically separated.
IA Controls: DCPA-1

Session tokens can be compromised by various methods. Using predictable session tokens can allow an attacker to hijack a session in progress. Session sniffing can be used to capture a valid session token or session ID, and the attacker uses this session information to gain immediate unauthorized access to the server, which is a loss of confidentiality and potentially a loss of integrity. Also, the Man-in-the-Middle (MITM) attack can be accomplished over a TLS connection with a session in progress.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
Responsibility: System Administrator
IA Controls: ECTM-2

SV-17786r1_rule

APP3110

MEDIUM

The designer will ensure the application installs with unnecessary functionality disabled by default.

If functionality is enabled that is not required for operation of the application, this functionality may be exploited without knowledge because the functionality is not required by anyone.
Responsibility: System Administrator
IA Controls: DCSD-1

SV-17787r1_rule

APP3130

HIGH

The designer will ensure the application follows the secure failure design principle.

The secure failure design principle ensures the application follows a secure, predictable path in the application code. If all possible code paths are not accounted for, the application may allow access to unauthorized users. Applications should perform checks on the validity of data, user permissions, and resource existence before performing a function. Secure failure means that if a check fails for any reason, the application remains in a secure state.
Responsibility: System Administrator
IA Controls: DCSQ-1

SV-17788r1_rule

APP3170

MEDIUM

The designer will ensure the application uses encryption to implement key exchange and authenticate endpoints prior to establishing a communication channel for key exchange.

If the application does not use encryption and authenticate endpoints prior to establishing a communication channel and prior to transmitting encryption keys, these keys may be intercepted and could be used to decrypt the traffic of the current session, leading to potential loss or compromise of DoD data.
Responsibility: System Administrator
IA Controls: DCNR-1

SV-17789r1_rule

APP3180

MEDIUM

The designer will ensure private keys are accessible only to administrative users.

If private keys are accessible to non-administrative users, these users could potentially read and use the private keys to decrypt stored or transmitted sensitive data used by the application.
Responsibility: System Administrator
IA Controls: ECCD-1

SV-17790r1_rule

APP3190

MEDIUM

The designer will ensure the application does not connect to a database using administrative credentials or other privileged database accounts.

If the application uses administrative credentials or other privileged database accounts to access the database, an attacker that has already compromised the application through another vulnerability can drop, add, and modify the data in the database or the database structure.
Responsibility: System Administrator
IA Controls: ECLP-1

SV-17791r1_rule

APP3200

LOW

The designer will ensure transaction based applications implement transaction rollback and transaction journaling.

Transaction based systems must have transaction rollback and transaction journaling, or technical equivalents, implemented to ensure the system can recover from an attack or faulty transaction data. Otherwise, a denial of service condition could result.
System Administrator
ECDC-1

SV-17792r1_rule

APP3220

MEDIUM

The designer will ensure sensitive data held in memory is cryptographically protected when not in use, if required by the information owner, and classified data held in memory is always cryptographically protected when not in use.

Sensitive or classified data in memory must be encrypted to protect the data from an attacker causing an application crash and then analyzing a memory dump of the application for sensitive or classified information.
System Administrator
ECCR-2, ECCR-1, ECCR-3

SV-17793r1_rule

APP3230

MEDIUM

The designer will ensure the application properly clears or overwrites all memory blocks used to process sensitive data, if required by the information owner, and clears or overwrites all memory blocks used for classified data.

Sensitive and classified data in memory should be cleared or overwritten to protect data from the possibility of an attacker causing the application to crash and analyzing a memory dump of the application for sensitive information.
System Administrator
ECCR-1, ECCR-2, ECCR-3

SV-17794r2_rule

APP3260

MEDIUM

The designer will ensure the application uses mechanisms assuring the integrity of all transmitted information (including labels and security parameters).

Data is subject to manipulation and other integrity-related attacks whenever it is transferred across a network. To protect data integrity during transmission, the application must implement mechanisms to ensure the integrity of all transmitted information. "All transmitted information" means the protections are not restricted to the data itself: protection mechanisms must be extended to data labels, security parameters or metadata if data protection requirements specify. Modern web application data transfer methods can be complex and are not necessarily point to point in nature. Service Oriented Architecture (SOA) and RESTful web services allow XML-based application data to be transmitted in a manner similar to network traffic, wherein the application data travels across multiple server hops. In such cases, point-to-point protection methods like TLS or SSL may not be the best choice for ensuring data integrity, and alternative data integrity protection methods like XML Integrity Signature protections, where the XML payload itself is signed, may be required as part of the application design. Overall application design and architecture must always be taken into account when establishing data integrity protection mechanisms. Custom-developed solutions that provide a file transfer capability should implement data integrity checks for incoming and outgoing files. Transmitted information requires mechanisms to ensure data integrity (e.g. digital signatures, SSL, TLS or cryptographic hashing).
System Administrator
ECTM-2, ECTM-1
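As an added example (not part of the STIG text), the following Python contrasts an integrity tag that binds only the payload with one that also binds the data label and security parameters the rule requires, so a relabelling by an intermediate hop is detected; the key, field names and message content are constructed.

```python
"""Integrity protection that covers the payload together with its label and
security parameters (APP3260).  Added example, not STIG text; the key, message
and field names below are constructed for illustration only."""
import hashlib
import hmac
import json

# Constructed shared key; a real deployment obtains it from key management.
KEY = b"constructed-demo-key-not-for-real-use"

# Constructed message carrying data, a data label and security parameters.
SAMPLE = {
    "data": "quarterly readiness figures",
    "label": "RESTRICTED",
    "params": {"origin": "svc-reporting", "retention_days": 30},
}


def canonical(obj: dict) -> bytes:
    """Deterministic encoding so both ends MAC exactly the same bytes.
    Sorted keys and fixed separators keep a reordered but equal object valid."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def _tag(covered: dict, key: bytes) -> str:
    return hmac.new(key, canonical(covered), hashlib.sha256).hexdigest()


def protect_payload_only(message: dict, key: bytes = KEY) -> dict:
    """Weak form: the tag binds only the data field, leaving the label and
    parameters unprotected in transit (the gap the rule warns about)."""
    return {"message": message, "tag": _tag({"data": message["data"]}, key)}


def protect_all(message: dict, key: bytes = KEY) -> dict:
    """Required form: the tag binds every transmitted field."""
    return {"message": message, "tag": _tag(message, key)}


def verify_payload_only(envelope: dict, key: bytes = KEY) -> bool:
    expected = _tag({"data": envelope["message"]["data"]}, key)
    # compare_digest runs in constant time, so timing does not reveal matching bytes
    return hmac.compare_digest(expected, envelope["tag"])


def verify_all(envelope: dict, key: bytes = KEY) -> bool:
    expected = _tag(envelope["message"], key)
    return hmac.compare_digest(expected, envelope["tag"])


def alter_field(envelope: dict, field: str, value) -> dict:
    """Simulate an intermediate hop changing one field; data and tag untouched."""
    copy = json.loads(json.dumps(envelope))  # deep copy so the original stays valid
    copy["message"][field] = value
    return copy


if __name__ == "__main__":
    weak = protect_payload_only(SAMPLE)
    strong = protect_all(SAMPLE)
    print("payload-only tag accepts relabel:", verify_payload_only(alter_field(weak, "label", "PUBLIC")))
    print("full-message tag accepts relabel:", verify_all(alter_field(strong, "label", "PUBLIC")))
```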

SV-17795r1_rule

APP3310

HIGH

The designer will ensure the application does not display account passwords as clear text.

Passwords being displayed in clear text can be easily seen by casual observers. Password masking should be employed so any casual observers cannot see passwords on the screen as they are being typed.
System Administrator
IAIA-1

SV-17796r1_rule

APP3330

HIGH

The designer will ensure the application transmits account passwords in an approved encrypted format.

Passwords transmitted in clear text or with an unapproved format are vulnerable to network protocol analyzers. These passwords acquired with the network protocol analyzers can be used to immediately access the application.
System Administrator
ECCT-1

SV-17797r1_rule

APP3340

HIGH

The designer will ensure the application stores account passwords in an approved encrypted format.

Passwords stored without encryption or with weak, unapproved encryption can easily be read and decrypted. These passwords can then be used for immediate access to the application.
System Administrator
IAIA-2, IAIA-1

SV-17798r1_rule

APP3360

MEDIUM

The designer will ensure the application protects access to authentication data by restricting access to authorized users and services.

If authentication data is not properly restricted using access control lists, unauthorized users of the server where the authentication data is stored may be able to use the authentication data to access unauthorized servers or services.
System Administrator
ECCD-1

SV-17799r1_rule

APP3370

MEDIUM

The designer will ensure the application installs with unnecessary accounts disabled, or deleted, by default.

Unnecessary accounts should be disabled to limit the number of entry points for attackers to gain access to the system. Removing unnecessary accounts also limits the number of users and passwords the system administrator must maintain.
System Administrator
IAIA-1

SV-17800r1_rule

APP3390

HIGH

The designer will ensure users’ accounts are locked after three consecutive unsuccessful logon attempts within one hour.

If user accounts are not locked after a set number of unsuccessful logins, attackers can retry user password combinations indefinitely, potentially gaining immediate access to the application.
ECLO-1, ECLO-2

SV-17801r1_rule

APP3400

MEDIUM

The designer will ensure locked users’ accounts can only be unlocked by the application administrator.

User accounts should only be unlocked by the user contacting an administrator and making a formal request to have the account reset. Accounts that are automatically unlocked after a set time limit allow potential attackers to retry possible user password combinations without the knowledge of the user or the administrator.
System Administrator
ECLO-1
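An added worked example (not part of the STIG text) of the lockout behaviour in APP3390 and APP3400 together: three consecutive failures inside a sliding one-hour window lock the account, a success resets the run, the passage of time alone never unlocks, and only an administrator can clear the lock. The account store, user names and clock are constructed.

```python
"""Account lockout per APP3390 and APP3400: three consecutive failed logons
within one hour lock the account, and only an application administrator can
unlock it.  Added example, not STIG text; the store, users and clock are
constructed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILURES = 3                     # consecutive failures that trigger a lock
FAILURE_WINDOW = timedelta(hours=1)  # the "within one hour" of the rule
SUCCESS, FAILURE, LOCKED = "success", "failure", "locked"

T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time


def at(minutes: float) -> datetime:
    """Constructed clock: T0 plus the given number of minutes."""
    return T0 + timedelta(minutes=minutes)


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whichever approved storage format the site mandates (APP3340).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    is_admin: bool = False
    locked: bool = False
    failures: list = field(default_factory=list)  # timestamps of recent failed logons


class AccountStore:
    def __init__(self) -> None:
        self._accounts: dict = {}

    def add_user(self, username: str, password: str, is_admin: bool = False) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[username] = Account(username, salt, _hash(password, salt), is_admin)

    def is_locked(self, username: str) -> bool:
        return self._accounts[username].locked

    def authenticate(self, username: str, password: str, now: datetime) -> str:
        acct = self._accounts.get(username)
        if acct is None:
            return FAILURE   # same answer as a wrong password, so accounts cannot be enumerated
        if acct.locked:
            return LOCKED    # a locked account never authenticates, even with the right password
        # Drop failures older than the sliding one-hour window before counting.
        acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW]
        if hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
            acct.failures.clear()   # a success ends the consecutive-failure run
            return SUCCESS
        acct.failures.append(now)
        if len(acct.failures) >= MAX_FAILURES:
            acct.locked = True      # no timer clears this; see unlock()
            return LOCKED
        return FAILURE

    def unlock(self, actor: str, username: str) -> bool:
        """Clear a lock only when the actor is an application administrator."""
        admin = self._accounts.get(actor)
        if admin is None or not admin.is_admin:
            return False            # non-administrators, including the owner, cannot unlock
        acct = self._accounts[username]
        acct.locked = False
        acct.failures.clear()
        return True


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "correct horse battery")
    store.add_user("helpdesk-admin", "constructed-admin-pw", is_admin=True)
    for m in (0, 10, 20):
        print(f"t+{m:2d}m wrong password ->", store.authenticate("alice", "wrong", at(m)))
    print("right password while locked ->", store.authenticate("alice", "correct horse battery", at(30)))
    print("owner unlock allowed?        ->", store.unlock("alice", "alice"))
    print("admin unlock allowed?        ->", store.unlock("helpdesk-admin", "alice"))
```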

SV-17802r1_rule

APP3415

MEDIUM

The designer will ensure the application provides a capability to automatically terminate a session and log out after a system defined session idle time limit is exceeded.

In the event a user does not log out of the application, the application should automatically terminate the session and log out; otherwise, subsequent users of a shared system could continue to use the previous user's session to the application.
System Administrator
ECLO-1

SV-17803r1_rule

APP3450

MEDIUM

The designer and IAO will ensure application resources are protected with permission sets which allow only an application administrator to modify application resource configuration files.

If application resources are not protected with permission sets that allow only an application administrator to modify application resource configuration files, unauthorized users can modify configuration files, allowing these users to capture data within the application, turn off encryption, or change any configurable option in the application.
ECCD-1

SV-17804r1_rule

APP3460

HIGH

The designer will ensure the application does not rely solely on a resource name to control access to a resource.

Application access control decisions should be based on authentication of users. Resource names alone can be spoofed allowing access control mechanisms to be bypassed giving immediate access to the application.
System Administrator
DCSQ-1

SV-17806r1_rule

APP3530

MEDIUM

The designer will ensure the web application assigns the character set on all web pages.

For web applications, setting the character set on the web page reduces the possibility of the web application receiving unexpected input that uses other character set encodings.
System Administrator
DCSQ-1

SV-17807r1_rule

APP3540

HIGH

The designer will ensure the application is not vulnerable to SQL Injection, uses prepared or parameterized statements, does not use concatenation or replacement to build SQL queries, and does not directly access the tables in a database.

SQL Injection can be used to bypass user login to gain immediate access to the application and can also be used to elevate privileges with an existing user account.
DCSQ-1, ECCD-1
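As an added example (not from the STIG), here is the concatenated lookup the rule forbids beside its parameterized replacement, with the lookup routed through a view rather than the base table; the schema and rows are constructed in an in-memory SQLite database.

```python
"""APP3540: a lookup built by string concatenation beside the parameterized
form, with table access routed through a view.  Added example, not STIG text;
the schema and rows live in a constructed in-memory SQLite database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed schema: a users table and a view that hides the credential column."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "<constructed-hash>", "user"),
        ("o'brien", "<constructed-hash>", "user"),
        ("admin", "<constructed-hash>", "admin"),
    ])
    # Application code reads through the view, never the base table, so the
    # pw_hash column is unreachable from the lookup path.
    conn.execute("CREATE VIEW user_roles AS SELECT username, role FROM users")
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """The 'before' form the rule forbids: input spliced into SQL text and the
    base table queried directly.  Any quote in the input rewrites the query."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """The required form: input is bound as a parameter, so the database treats
    it as a value no matter which characters it contains."""
    sql = "SELECT username, role FROM user_roles WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def outcome(lookup, conn: sqlite3.Connection, username: str) -> tuple:
    """Run a lookup and report ('rows', result) or ('error', exception name)."""
    try:
        return ("rows", lookup(conn, username))
    except sqlite3.Error as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    db = make_db()
    # A legitimate apostrophe breaks the concatenated query; a quote-bearing
    # input changes its meaning.  The parameterized query returns only exact matches.
    for name in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(name), outcome(lookup_vulnerable, db, name), outcome(lookup_parameterized, db, name))
```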

SV-17808r1_rule

APP3550

HIGH

The designer will ensure the application is not vulnerable to integer arithmetic issues.

Integer overflows occur when an integer has not been properly range-checked before it is used in memory allocation, copying, or concatenation. When an integer is incremented past its maximum possible value, it can wrap around to a very small or negative number. Integer overflows can lead to infinite looping when loop index variables are compromised, causing a denial of service. If the integer is used in data references, the data can become corrupt. Using the integer in memory allocation can cause buffer overflows and a denial of service. Integers used in access control mechanisms can potentially trigger buffer overflows, which can be used to execute arbitrary code.
DCSQ-1

SV-17809r1_rule

APP3560

HIGH

The designer will ensure the application does not contain format string vulnerabilities.

Format string vulnerabilities usually occur when unvalidated input is written directly into the format string used to format data in the printf-style family of C/C++ functions. If an attacker can manipulate a format string, this may result in a buffer overflow causing a denial of service for the application. Format string vulnerabilities may lead to information disclosure vulnerabilities and may be used to execute arbitrary code.
System Administrator
DCSQ-1

SV-17810r1_rule

APP3570

HIGH

The designer will ensure the application does not allow command injection.

A command injection attack is an attack on a vulnerable application where improperly validated input is passed to a command shell set up by the application. Command injection allows an attacker to execute their own commands with the same privileges as the executing application, giving immediate access to the system where the application is running.
System Administrator
DCSQ-1

SV-17811r1_rule

APP3580

HIGH

The designer will ensure the application does not have cross site scripting (XSS) vulnerabilities.

XSS vulnerabilities exist when an attacker uses a trusted website to inject malicious scripts into applications with improperly validated input.
System Administrator
DCSQ-1

SV-17812r1_rule

APP3600

MEDIUM

The designer will ensure the application has no canonical representation vulnerabilities.

Canonical representation issues arise when the name of a resource is used to control resource access. There are multiple methods of representing resource names on a computer system. An application relying solely on a resource name to control access may incorrectly make an access control decision if the name is specified in an unrecognized format.
System Administrator
DCSQ-1
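An added example (not part of the STIG) covering the resource-name concerns of APP3460 and APP3600: a raw prefix check on the requested name beside a check on its canonical form. The base directory and request strings are constructed, and plain path arithmetic (posixpath) is used so no real filesystem is touched; canonicalization supplements, rather than replaces, authenticating the user.

```python
"""Access decisions on a canonical resource name rather than the raw string
(APP3460, APP3600).  Added example, not STIG text; PUBLIC_ROOT and the request
strings are constructed, and posixpath is used so no filesystem is consulted."""
import posixpath
from urllib.parse import unquote

PUBLIC_ROOT = "/srv/app/public"  # constructed: the only subtree clients may read


def naive_is_allowed(requested: str) -> bool:
    """Prefix test on the raw name, as many applications write it.  It accepts
    '..' segments, percent-encoded dots and sibling directories that merely
    share the prefix, because it never looks at what the name resolves to."""
    return requested.startswith(PUBLIC_ROOT)


def canonicalize(requested: str) -> str:
    """Reduce the request to a single canonical absolute path, or raise."""
    path = unquote(requested)            # decode exactly one layer of %XX escapes
    if "%" in path:
        # Names under PUBLIC_ROOT never contain a literal '%' (constructed
        # policy), so a leftover escape means double encoding: refuse to guess.
        raise ValueError("residual percent-encoding")
    if "\x00" in path:
        raise ValueError("embedded NUL")  # C-level file APIs would truncate here
    if not path.startswith("/"):
        path = posixpath.join(PUBLIC_ROOT, path)  # relative names resolve under the root
    return posixpath.normpath(path)      # collapses '.', '..' and repeated separators


def canonical_is_allowed(requested: str) -> bool:
    """Decide on the canonical form; a name that cannot be canonicalized is denied
    (secure failure: an unparseable request never grants access)."""
    try:
        canon = canonicalize(requested)
    except ValueError:
        return False
    # Compare whole path components, not characters, so /srv/app/public_old does not match.
    return canon == PUBLIC_ROOT or canon.startswith(PUBLIC_ROOT + "/")


if __name__ == "__main__":
    for req in ("/srv/app/public/index.html",
                "/srv/app/public/../private/keys.pem",
                "/srv/app/public/%2e%2e/private/keys.pem",
                "/srv/app/public_old/notes.txt"):
        print(f"{req:45s} naive={naive_is_allowed(req)!s:5s} canonical={canonical_is_allowed(req)}")
```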

SV-17813r1_rule

APP3610

HIGH

The designer will ensure the application does not use hidden fields to control user access privileges or as a part of a security mechanism.

Using hidden fields to pass data in forms is very common. However, hidden fields can be easily manipulated by users. Hidden fields used to control access decisions can lead to a complete compromise of the access control mechanism, allowing immediate anonymous user access.
System Administrator
DCSQ-1

SV-17814r1_rule

APP3620

MEDIUM

The designer will ensure the application does not disclose unnecessary information to users.

Applications should not disclose information not required for the transaction (e.g., a web application should not divulge the fact that there is a SQL server database and/or its version). Such disclosure provides attackers additional information which they can use to find other attack avenues, or to tailor specific attacks on the application.
System Administrator
ECCD-1

SV-17815r1_rule

APP3630

MEDIUM

The designer will ensure the application is not vulnerable to race conditions.

A race condition occurs when an application receives two or more actions on the same resource in an unanticipated order which causes a conflict. Sometimes, the resource is locked by different users or functions within the application creating a deadlock situation.
System Administrator
DCSQ-1

SV-17816r1_rule

APP3640

MEDIUM

The designer will ensure the application supports the creation of transaction logs for access and changes to the data.

Without required logging and access control, security issues related to data changes will not be identified. This could lead to security compromises such as data misuse, unauthorized changes, or unauthorized access.
System Administrator
ECCD-2

SV-17817r1_rule

APP3660

LOW

The designer will ensure the application has a capability to notify the user of important login information.

Attempted logons must be controlled to prevent password guessing exploits and unauthorized access attempts.
System Administrator
ECLO-2

SV-17818r1_rule

APP3670

MEDIUM

The designer will ensure the application has a capability to display the user’s time and date of the last change in data content.

Without access control mechanisms in place, the data is not secure. Displaying the time and date of the last change in data content provides an indication that the data may have been accessed by unauthorized persons, and that it may have been compromised, misused, or changed.
System Administrator
ECCD-2

SV-17819r1_rule

APP3750

MEDIUM

The designer will ensure development of new mobile code includes measures to mitigate the risks identified.

New mobile code types may introduce unknown vulnerabilities if a risk assessment is not completed prior to the use of mobile code.
System Administrator
DCMC-1

SV-17820r1_rule

APP4010

LOW

The Release Manager will ensure the access privileges to the configuration management (CM) repository are reviewed every 3 months.

Incorrect access privileges to the CM repository can lead to malicious code or unintentional code being introduced into the application.
System Administrator
ECPC-1, ECPC-2

SV-17822r1_rule

APP4030

MEDIUM

The Release Manager will develop an SCM plan describing the configuration control and change management process of objects developed and the roles and responsibilities of the organization.

Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM plan, code releases cannot be tracked, and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application.
System Administrator
DCPR-1, DCSW-1

SV-17823r1_rule

APP4040

MEDIUM

The Release Manager will establish a Configuration Control Board (CCB), that meets at least every release cycle, for managing the CM process.

Software Configuration Management (SCM) is very important in tracking code releases, baselines, and managing access to the configuration management repository. The SCM plan identifies what should be under configuration management control. Without an SCM plan and a CCB, code releases cannot be tracked, and vulnerabilities can be inserted intentionally or unintentionally into the code base of the application.
System Administrator
DCCB-1, DCCB-2

SV-17824r1_rule

APP5010

LOW

The Test Manager will ensure at least one tester is designated to test for security flaws in addition to functional testing.

If there is no person designated to test for security flaws, vulnerabilities can potentially be missed during testing.
Information Assurance Manager
DCSQ-1

SV-17825r1_rule

APP5040

MEDIUM

The Test Manager will ensure the changes to the application are assessed for IA and accreditation impact prior to implementation.

IA assessment of proposed changes is necessary to ensure security integrity is maintained within the application.
DCII-1

SV-17826r1_rule

APP5050

MEDIUM

The Test Manager will ensure tests plans and procedures are created and executed prior to each release of the application or updates to system patches.

Without test plans and procedures for application releases or updates, unexpected results may occur which could lead to a denial of service to the application or components.
System Administrator
DCCT-1

SV-17827r1_rule

APP5060

MEDIUM

The Test Manager will ensure test procedures are created and at least annually executed to ensure system initialization, shutdown, and aborts are configured to ensure the system remains in a secure state.

Secure state assurance cannot be accomplished without testing the system state at least annually to ensure the system remains in a secure state upon initialization, shutdown and abort.
System Administrator
DCSS-2

SV-17828r1_rule

APP5070

LOW

The Test Manager will ensure code coverage statistics are maintained for each release of the application.

Code coverage statistics describe how much of the source code has been executed by the test procedures.
System Administrator
DCSQ-1

SV-53700r1_rule

APP5080

MEDIUM

The Test Manager will ensure a code review is performed before the application is released.

A code review is a systematic evaluation of computer source code conducted for the purposes of identifying and remediating security flaws. Examples of security flaws include but are not limited to format string exploits, memory leaks, buffer overflows or race conditions. The code review is usually conducted during the application development phase; this allows discovered security issues to be corrected prior to release. A code review can also be performed after the development phase; however, in all instances identified errors must go back to development for correction, so conducting the code review during development is the logical and preferred action. Automated code review tools are to be used whenever reviewing application source code. These tools are often incorporated into Integrated Development Environments (IDEs) so code reviews can be conducted during all stages of the development life cycle. Periodically reviewing code during the development phase makes the transition to a production environment easier, as flaws are continually identified and addressed during development rather than en masse at the end of the development effort.
Code review processes and the tools used to conduct the code review analysis will vary depending upon the application architecture and the development languages utilized.
In addition to automated testing, manual code reviews may also be used to validate or augment automated code review results. Larger projects will have a large code base and will require the use of automated code review tools in order to achieve complete code review coverage.
A manual code review may consist of a peer review wherein other programmers on the team manually examine source code and automated code review results for known flaws that introduce security bugs into the application.
As with any testing, there is no single best approach and the tests must be tailored to the application architecture. Use of automated tools along with manual review of code and testing results is considered a best practice when conducting code reviews. This method is the most likely way to ensure the maximum number of errors are caught and addressed prior to implementing the application in a production environment.
For a list of tools that can be used for source code review, please reference http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html.
Please note that reference to these tools does not imply that they have been tested and approved for use by DISA.
System Administrator, Systems Programmer
DCSQ-1

SV-17830r1_rule

APP5090

MEDIUM

The Test Manager will ensure flaws found during a code review are tracked in a defect tracking system.

If flaws are not tracked, they may be overlooked and left out of a release. Tracking flaws in the configuration management repository will help identify the code elements to be changed, as well as the requested change.
System Administrator
DCSQ-1

SV-55789r2_rule

APP5100

MEDIUM

The IAO will ensure active vulnerability testing is performed.

Use of automated scanning tools accompanied by manual testing/validation, which confirms or expands on the automated test results, is an accepted best practice when performing application security testing. Automated scanning tools expedite and help to standardize security testing; they can incorporate known attack methods and procedures, test for libraries and other software modules known to be vulnerable to attack, and utilize a test method known as "fuzz testing". Fuzz testing is a testing process where the application is provided invalid, unexpected, or random data. Poorly designed and coded applications will become unstable or crash. Properly designed and coded applications will reject improper and unexpected data input from application clients and remain stable.
Many vulnerability scanning tools provide automated fuzz testing capabilities for the testing of web applications. All of these tools help to identify a wide range of application vulnerabilities including, but not limited to, buffer overflows, cross-site scripting flaws, denial of service, format bugs and SQL injection, all of which can lead to a successful compromise of the system or result in a denial of service.
Due to changes in the production environment, it is a good practice to schedule periodic active testing of production web applications. Ideally, this will occur prior to deployment and after updates or changes to the application production environment.
It is imperative that automated scanning tools are configured properly to ensure that all of the application components that can be tested are tested. In the case of web applications, some of the application code base may be accessible on the web site and could potentially be corrected by a knowledgeable system administrator. Active testing is different from code review testing in that active testing does not require access to the application source code base. A code review requires complete code base access and is normally performed by the development team.
If vulnerability testing is not conducted, there is the distinct potential that security vulnerabilities could be unknowingly introduced into the application environment.
The following website provides an overview of fuzz testing and examples:
http://www.owasp.org/index.php/Fuzzing
The following website provides information on web application vulnerability scanner tools. Reference the "Related Links" section at the bottom of the page for a list of available commercial and open source tools.
http://samate.nist.gov/index.php/Web_Application_Vulnerability_Scanners.html
Please note that reference to these tools does not imply that they have been tested and approved for use by DISA.
System Administrator, Information Assurance Officer
DCSQ-1

SV-17832r1_rule

APP5110

MEDIUM

The Test Manager will ensure security flaws are fixed or addressed in the project plan.

If security flaws are not tracked, they may be overlooked and left out of a release. Tracking flaws in the project plan will help identify the code elements to be changed as well as the requested change.
System Administrator
DCSQ-1

SV-17833r1_rule

APP6010

MEDIUM

The IAO will ensure if an application is designated critical, the application is not hosted on a general purpose machine.

Critical applications should not be hosted on a multi-purpose server with other applications. Applications that share resources are susceptible to the other shared applications' security defects. Even if the critical application is designed and deployed securely, an application that is not designed and deployed securely can cause resource issues and possibly crash, affecting the critical application.
System Administrator
DCSQ-1

SV-17834r1_rule

APP6020

MEDIUM

The IAO shall ensure if a DoD STIG or NSA guide is not available, a third-party product will be configured by the following in descending order as available: (1) commercially accepted practices, (2) independent testing results, or (3) vendor literature.

Not all COTS products are covered by a STIG. Those products not covered by a STIG should, at a minimum, be configured to the vendor's recommended guidelines.
System Administrator
DCCS-1

SV-17835r1_rule

APP6040

MEDIUM

The IAO will ensure at least one application administrator has registered to receive update notifications, or security alerts, when automated alerts are available.

Administrators should register for updates to all COTS and custom developed software, so when security flaws are identified, they can be tracked for testing and updates of the application can be applied.
DCCT-1

SV-17836r1_rule

APP6050

MEDIUM

The IAO will ensure the system and installed applications have current patches, security updates, and configuration settings.

Due to viruses, worms, Trojans, and other malicious software, in addition to inevitable weaknesses in code, the necessity to patch critical vulnerabilities is paramount. As part of the general practice of performing application or system administration, it is imperative that security vulnerabilities from the vendor are monitored and patches are tested and applied.
System Administrator
DCCT-1

SV-55087r1_rule

APP6060

HIGH

The IAO will ensure the application is decommissioned when maintenance or support is no longer available.

When maintenance no longer exists for an application, there are no individuals responsible for providing security updates. The application is no longer supported, and should be decommissioned.
System Administrator
ECSC-1, DCSD-1

SV-17838r1_rule

APP6070

LOW

Procedures are not in place to notify users when an application is decommissioned.

When maintenance no longer exists for an application, there are no individuals responsible for making security updates. The application should maintain procedures for decommissioning.
System Administrator
DCSD-1

SV-17839r1_rule

APP6080

MEDIUM

The IAO will ensure protections against DoS attacks are implemented.

Known threats documented in the threat model should be mitigated to prevent DoS type attacks.
System Administrator
DCSQ-1

SV-17840r1_rule

APP6090

LOW

The IAO will ensure the system alerts an administrator when low resource conditions are encountered.

In order to prevent DoS type attacks, applications should be monitored, and an administrator alerted, when resource conditions reach a predefined threshold indicating there may be an attack occurring.
System Administrator
ECAT-2

SV-17841r1_rule

APP6110

LOW

The IAO will review audit trails periodically based on system documentation recommendations or immediately upon system security events.

Without access control the data is not secure. It can be compromised, misused, or changed by unauthorized access at any time.
ECCD-2

SV-17842r1_rule

APP6120

MEDIUM

The IAO will report all suspected violations of IA policies in accordance with DoD information system IA procedures.

All potential sources are monitored for suspected violations of IA policies. If there are no policies regarding the reporting of IA violations, some IA violations may not be tracked or dealt with in a proper manner.
System Administrator
ECAT-2

SV-17843r1_rule

APP6130

LOW

The IAO will ensure, for classified systems, application audit trails are continuously and automatically monitored, and alerts are provided immediately when unusual or inappropriate activity is detected.

For critical and classified systems, an automated, continuous on-line monitoring and audit trail creation capability must be deployed with the capability to immediately alert personnel of any unusual or inappropriate activity with potential IA implications, and with a user configurable capability to automatically disable the system if serious IA violations are detected. This protects the system from serious data compromises.
ECAT-2

SV-17844r1_rule

APP6170

MEDIUM

The IAO will ensure back-up copies of the application software are stored in a fire-rated container and not collocated with operational software.

Inadequate back-up software or improper storage of back-up software can result in extended outages of the information system in the event of a fire or other situation that results in destruction of the operating copy.
System Administrator
COSW-1

SV-17845r1_rule

APP6180

MEDIUM

The IAO will ensure procedures are in place to assure the appropriate physical and technical protection of the backup and restoration of the application.

Protection of backup and restoration assets is essential for the successful restore of operations after a catastrophic failure or damage to the system or data files. Failure to follow proper procedures may result in the permanent loss of system data and/or the loss of system capability, resulting in failure of the customer's mission.
System Administrator
COBR-1

SV-17846r1_rule

APP6200

MEDIUM

The IAO will ensure a disaster recovery plan exists in accordance with DoD policy based on the Mission Assurance Category (MAC).

Well thought out recovery plans are essential for system recovery and/or business restoration in the event of catastrophic failure or disaster.
System Administrator
CODP-3, CODB-2, CODB-1

SV-17847r1_rule

APP6210

MEDIUM

The IAO will ensure an account management process is implemented, verifying only authorized users can gain access to the application, and individual accounts designated as inactive, suspended, or terminated are promptly removed.

A comprehensive account management process will ensure that only authorized users can gain access to applications and that individual accounts designated as inactive, suspended, or terminated are promptly deactivated. Such a process greatly reduces the risk that accounts will be misused, hijacked, or data compromised.
System Administrator
IAAC-1

SV-17848r1_rule

APP6220

HIGH

The IAO will ensure passwords generated for users are not predictable and comply with the organization's password policy.

Predictable passwords may allow an attacker to gain immediate access to new user accounts which would result in a loss of integrity.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
System Administrator
IAIA-2, IAIA-1

SV-17849r1_rule

APP6230

MEDIUM

The IAO will ensure the application's users do not use shared accounts.

Group or shared accounts for application access may be used only in conjunction with an individual authenticator. Group accounts do not allow for proper auditing of who is accessing the application, and security incidents cannot be attributed to specific individuals.
System Administrator
IAGA-1

SV-17850r1_rule

APP6270

MEDIUM

The IAO will ensure connections between the DoD enclave and the Internet or other public or commercial wide area networks require a DMZ.

In order to protect DoD data and systems, all remote access to DoD information systems must be mediated through a managed access control point, such as a remote access server in a DMZ.
System Administrator
EBPW-1

SV-21828r1_rule

APP6280

HIGH

The IAO will ensure web servers are on logically separate network segments from the application and database servers if it is a tiered application.

Web servers should be on logically separated network segments from the application and database servers in order to provide different levels and types of defenses for each type of server. Failure to comply would result in an immediate loss of confidentiality.
This requirement was added to this STIG at the request of the DoD DMZ PM. The goal is to ensure this requirement is addressed as the application is being developed. This requirement and severity was previously approved by the DSAWG in the Internet-NIPRNet DoD DMZ Increment 1, Phase 1 STIG.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
DCPA-1

SV-21829r1_rule

APP6290

HIGH

The designer and the IAO will ensure physical operating system separation and physical application separation are employed between servers of different data types in the web tier of the Increment 1/Phase 1 deployment of the DoD DMZ for Internet-facing applications.

Restricted and unrestricted data residing on the same server may allow unauthorized access which would result in a loss of integrity and possibly the availability of the data.
This requirement was added to this STIG at the request of the DoD DMZ PM. The goal is to ensure this requirement is addressed as the application is being developed. This requirement and severity was previously approved by the DSAWG in the Internet-NIPRNet DoD DMZ Increment 1, Phase 1 STIG.
*This requirement does not apply to SIPRNet DMZs.
DCPA-1

SV-21830r1_rule

APP3760

MEDIUM

The designer will ensure web services are designed and implemented to recognize and react to the attack patterns associated with application-level DoS attacks.

Because of potential denial of service, web services should be designed to recognize potential attack patterns.
DCSQ-1

SV-21831r2_rule

APP3770

MEDIUM

The designer will ensure the web service design includes redundancy of critical functions.

Because of potential denial of service, web services should be designed to be redundant.
DCSQ-1

SV-21832r1_rule

APP3780

MEDIUM

The designer will ensure web service design of critical functions is implemented using different algorithms to prevent similar attacks from forming a complete application level DoS.

Denial of service attacks could occur if web services use the same algorithm for all critical features. An algorithm is defined as: an effective method expressed as a finite list of well-defined instructions. Combining a large array of varying, unrelated functionality into a single web service increases the chances that the service may become susceptible to a DoS attack which could affect not only the individual service, but the entire application as well.
DCSQ-1

SV-21833r1_rule

APP3790

MEDIUM

The designer will ensure web services are designed to prioritize requests to increase availability of the system.

Because of potential denial of service, web services should be designed to prioritize web service requests.
DCSQ-1

SV-21834r1_rule

APP3800

MEDIUM

The designer will ensure execution flow diagrams are created and used to mitigate deadlock and recursion issues.

To prevent web services from becoming deadlocked, an execution flow diagram should be documented.
DCSQ-1

SV-21835r1_rule

APP6300

MEDIUM

The IAO will ensure an XML firewall is deployed to protect web services.

Web services are vulnerable to many types of attacks. XML-based firewalls can be used to prevent common attacks.
DCSQ-1

SOAP messages should be designed so duplicate messages are detected.
Replay attacks may lead to a loss of confidentiality and potentially a loss of availability.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
DCSQ-1

SV-21837r1_rule

APP3830

MEDIUM

The designer and IAO will ensure digital signatures exist on UDDI registry entries to verify the publisher.

UDDI registries must provide digital signatures for verification of the integrity of the publisher of each web service contained within the registry. Without a digital signature associated with each web service, users publishing to the UDDI repository could potentially set up multiple fraudulent web services.
DCSQ-1

SV-21838r1_rule

APP3840

MEDIUM

The designer and IAO will ensure UDDI versions are used supporting digital signatures of registry entries.

UDDI repositories must provide the capability to support digital signatures. Without the capability to support digital signatures, web service users cannot verify the integrity of the UDDI registry.
DCSQ-1

SV-21839r1_rule

APP3850

MEDIUM

The designer and IAO will ensure UDDI publishing is restricted to authenticated users.

Fictitious or false entries could result if someone other than an authenticated user is able to create or modify the UDDI registry. The data integrity would be questionable if anonymous users are able to write to the repository.
DCSQ-1

SV-21840r1_rule

APP6310

MEDIUM

The IAO will ensure web service inquiries to UDDI provide read-only access to the registry to anonymous users.

If modification of UDDI registries is allowed by anonymous users, UDDI registries can be corrupted or potentially hijacked.
ECLP-1

SV-21841r1_rule

APP6320

MEDIUM

The IAO will ensure that, if the UDDI registry contains sensitive information, read access to the UDDI registry is granted only to authenticated users.

If a UDDI registry contains sensitive data, the repository should require authentication to read the UDDI data repository. If the repository does not require authentication, the UDDI data repository will be accessed by anonymous users.
ECCR-2, ECCR-1

Digitally signed SOAP messages provide message integrity and authenticity of the signer of the message independent of the transport layer. Service requests may be intercepted and changed in transit and the data integrity may be at risk if the SOAP message is not digitally signed.
ECTM-1

SV-55089r1_rule

APP3870

HIGH

The designer will ensure when using WS-Security, messages use timestamps with creation and expiration times.

The lack of timestamps could lead to the eventual replay of the message, leaving the application susceptible to replay events which may result in an immediate loss of confidentiality.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
IAIA-2, ECTM-2

SV-21844r1_rule

APP3880

HIGH

The designer will ensure validity periods are verified on all messages using WS-Security or SAML assertions.

When using WS-Security in SOAP messages, the application should check the validity of the timestamps with creation and expiration times. Unvalidated timestamps may lead to a replay event and provide immediate unauthorized access to the application. Unauthorized access results in an immediate loss of confidentiality.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
IAIA-2
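The timestamp check and the duplicate-message detection called for above, as an added example written for this page (not code from the STIG or any product). The 5-minute maximum window, the 30-second clock-skew tolerance, the use of wsa:MessageID as the duplicate key and the sample envelope are assumptions.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
WSU = "{http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd}"
WSA = "{http://www.w3.org/2005/08/addressing}"
MAX_WINDOW = timedelta(minutes=5)     # assumed local policy: longest acceptable Created..Expires span
CLOCK_SKEW = timedelta(seconds=30)    # assumed tolerance for sender/receiver clock drift
def _parse(ts):
    # wsu:Created / wsu:Expires are xsd:dateTime values in UTC ("Z" suffix)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

class SoapReplayGuard:
    """Enforces a bounded wsu:Timestamp window and rejects a repeated MessageID."""
    def __init__(self):
        self.seen = {}   # MessageID -> Expires; an ID only needs remembering until it expires

    def check(self, envelope, now_iso):
        now = _parse(now_iso)
        root = ET.fromstring(envelope)
        ts = root.find(f".//{WSU}Timestamp")
        mid = root.findtext(f".//{WSA}MessageID")
        if ts is None or not mid:
            return "reject: missing wsu:Timestamp or wsa:MessageID"
        created_txt = ts.findtext(f"{WSU}Created")
        expires_txt = ts.findtext(f"{WSU}Expires")
        if not created_txt or not expires_txt:
            return "reject: Timestamp lacks Created or Expires"
        created, expires = _parse(created_txt), _parse(expires_txt)
        if created > now + CLOCK_SKEW:
            return "reject: Created is in the future"
        if expires <= now - CLOCK_SKEW:
            return "reject: message expired"
        if expires - created > MAX_WINDOW:
            return "reject: validity window exceeds policy"
        # drop IDs whose window has closed, then look for a duplicate of this one
        self.seen = {k: v for k, v in self.seen.items() if v > now - CLOCK_SKEW}
        if mid in self.seen:
            return "reject: duplicate MessageID (replay)"
        self.seen[mid] = expires
        return "accept"
# Constructed sample envelope (not captured from any real system).
SAMPLE_ENVELOPE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
 xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
 xmlns:wsa="http://www.w3.org/2005/08/addressing">
 <s:Header>
  <wsa:MessageID>urn:uuid:constructed-0001</wsa:MessageID>
  <wsu:Timestamp><wsu:Created>2024-01-01T12:00:00Z</wsu:Created>
   <wsu:Expires>2024-01-01T12:05:00Z</wsu:Expires></wsu:Timestamp>
 </s:Header><s:Body/></s:Envelope>"""
```

Feeding the same envelope twice within its window is accepted once and then rejected as a replay; a signature check over the Timestamp and MessageID is still required so an attacker cannot simply rewrite them.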

SAML assertion identifiers should be unique across a server implementation. Duplicate SAML assertion identifiers could lead to unauthorized access to a web service.
IAIA-2

SV-21846r1_rule

APP3900

MEDIUM

The designer shall ensure encrypted assertions, or equivalent confidentiality protections, are used when assertion data is passed through an intermediary and confidentiality of the assertion data is required.

The confidentiality of the data in a message may need to be preserved from the intermediary web service as the message passes through it. If the data contained in the message is not encrypted or otherwise protected, the intermediary web service may leak or distribute it.
IAIA-2

SV-21847r1_rule

APP3960

MEDIUM

The designer will ensure the application is compliant with all DoD IT Standards Registry (DISR) IPv6 profiles.

If the application has not been upgraded to execute on an IPv6-only network, there is a possibility the application will not execute properly, and as a result, a denial of service could occur.
DCSQ-1

SV-21848r1_rule

APP3970

MEDIUM

The designer will ensure supporting application services and interfaces have been designed, or upgraded for, IPv6 transport.

If the application's supporting services (e.g., software update, security update, driver updating, and automatic patching services) have not been updated to retrieve updates over an IPv6 network connection, there is a possibility the application will not execute properly, and as a result, a denial of service could occur.
DCSQ-1

SV-21849r1_rule

APP3980

MEDIUM

The designer will ensure the application is compliant with IPv6 multicast addressing and features IPv6 network configuration options as defined in RFC 4038.

If the application has not been updated to IPv6 multicast features, there is a possibility the application will not execute properly and as a result, a denial of service could occur.
DCSQ-1

SV-21850r1_rule

APP3990

MEDIUM

The designer will ensure the application is compliant with the IPv6 addressing scheme as defined in RFC 1884.

If the application is not compliant with the IPv6 addressing scheme, the entry of IPv6 addresses, which are 128 bits long and written in hexadecimal notation with colons, could result in buffer overflows compromising the application and creating additional attack vectors.
DCSQ-1

SV-23682r1_rule

APP3810

HIGH

The designer will ensure the application is not vulnerable to XML Injection.

XML injection results in an immediate loss of "integrity" of the data.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
System Administrator
DCSQ-1

SV-23685r1_rule

APP3585

MEDIUM

The designer will ensure the application does not have CSRF vulnerabilities.

Cross Site Request Forgery (CSRF) is an attack where an end user is previously authenticated to a specific website and the user, through social engineering (e.g., e-mail or chat), launches a hyperlink which executes unwanted actions on a website. A CSRF attack may execute any web site request on behalf of the user, leading to compromise of the user's data.
System Administrator
DCSQ-1

SV-23731r1_rule

APP2135

HIGH

The Program Manager will ensure all products are supported by the vendor or the development team.

Unsupported software products should not be used because of the unknown potential vulnerabilities.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
Unsupported software where there is no documented acceptance of DAA risk.
System Administrator
DCSQ-1

SV-55088r1_rule

APP3910

HIGH

The designer shall use the NotOnOrAfter condition when using the SubjectConfirmation element in a SAML assertion.

When a SAML assertion is used with a <SubjectConfirmation> element, a begin and end time for the <SubjectConfirmation> should be set to prevent reuse of the message at a later time. Not setting a specific time period for the <SubjectConfirmation> may grant immediate access to an attacker and results in an immediate loss of confidentiality.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
Information Assurance Officer
DCSQ-1

SV-25355r1_rule

APP3920

HIGH

The designer shall use both the <NotBefore> and <NotOnOrAfter> elements or <OneTimeUse> element when using the <Conditions> element in a SAML assertion.

When a SAML assertion is used with a <Conditions> element, a begin and end time for the <Conditions> element should be set to prevent reuse of the message at a later time. If a specific time period is not set for the <Conditions> element, the possibility exists of granting immediate access or elevated privileges to an attacker, which results in an immediate loss of confidentiality.
Any vulnerability associated with a DoD Information system or system enclave, the exploitation of which, by a risk factor, will directly and immediately result in loss of Confidentiality, Availability or Integrity of the system associated data.
Information Assurance Officer
DCSQ-1

SV-25356r1_rule

APP3940

MEDIUM

The designer will ensure the asserting party uses FIPS approved random numbers in the generation of SessionIndex in the SAML element AuthnStatement.

A predictable SessionIndex could lead to an attacker computing a future SessionIndex, thereby possibly compromising the application.
System Administrator
DCSQ-1

SV-25357r1_rule

APP3950

MEDIUM

The designer shall ensure messages are encrypted when the SessionIndex is tied to privacy data.

When the SessionIndex is tied to privacy data (e.g., attributes containing privacy data) the message should be encrypted. If the message is not encrypted there is the possibility of compromise of privacy data.
System Administrator
ECNK-1

SV-25358r1_rule

APP3930

MEDIUM

The designer shall ensure if a OneTimeUse element is used in an assertion, there is only one used in the Conditions element portion of an assertion.

Multiple OneTimeUse elements used in a SAML assertion can lead to elevation of privileges, if the application does not process SAML assertions correctly.
System Administrator
DCSQ-1
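The assertion-side checks from APP3910, APP3920 and APP3930 above, together with the earlier requirement that SAML assertion identifiers be unique, as one added relying-party validator written for this page (not code from the STIG or any SAML product). The in-memory used-ID set, the sample assertion and its time values are assumptions; a real deployment would also verify the assertion signature first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
class AssertionValidator:
    """Applies the APP3910/APP3920/APP3930 rules and the assertion-ID uniqueness check."""
    def __init__(self):
        self.used_ids = set()   # IDs already accepted by this server instance (assumed in-memory)
    def validate(self, xml_text, now_iso):
        now = _parse(now_iso)
        a = ET.fromstring(xml_text)
        aid = a.get("ID")
        if not aid:
            return "reject: assertion has no ID"
        if aid in self.used_ids:
            return "reject: assertion ID already used"
        cond = a.find(f"{SAML}Conditions")
        if cond is None:
            return "reject: no Conditions element"
        one_time = cond.findall(f"{SAML}OneTimeUse")
        if len(one_time) > 1:                  # APP3930: at most one OneTimeUse
            return "reject: multiple OneTimeUse elements"
        nb, na = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not one_time and not (nb and na):   # APP3920: bounded window or OneTimeUse
            return "reject: Conditions need NotBefore+NotOnOrAfter or OneTimeUse"
        if nb and now < _parse(nb):
            return "reject: assertion not yet valid"
        if na and now >= _parse(na):
            return "reject: assertion expired"
        for scd in a.iter(f"{SAML}SubjectConfirmationData"):   # APP3910
            bound = scd.get("NotOnOrAfter")
            if bound is None:
                return "reject: SubjectConfirmationData lacks NotOnOrAfter"
            if now >= _parse(bound):
                return "reject: SubjectConfirmation expired"
        self.used_ids.add(aid)
        return "accept"

# Constructed sample assertion (not issued by any real IdP).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 ID="_constructed-abc123" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
 <saml:Subject><saml:NameID>user1</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData NotOnOrAfter="2024-01-01T12:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:10:00Z">
  <saml:OneTimeUse/></saml:Conditions>
</saml:Assertion>"""
```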

When application code and binaries are transferred from one environment to another, there is the potential for malware to be introduced into either the application code or even the application binaries themselves. Care must be taken to ensure that application code and binaries are validated for integrity prior to deployment into a production environment.
To ensure file integrity, application files and/or application packages are cryptographically hashed using a strong hashing algorithm. Comparing hashes after transferring the files makes it possible to detect changes in files that could indicate potential integrity issues with the application.
Currently, SHA256 is the DoD approved standard for cryptographic hash functions. DoD application developers must use SHA256 when creating cryptographic hashes; however, some non-DoD vendors might still use MD5 or SHA1 when generating a checksum hash for their application packages. It is important to use the same algorithm when validating the hash. If a non-DoD vendor uses SHA1 when hashing their files, you must use SHA1 to validate the hash. Otherwise, the hashes will not match and a false positive indication of tampering will result.
Prior to the application receiving an ATO/IATO for deployment into a DoD operational network, the application must be validated for integrity to ensure no tampering of source code or binaries has occurred. Failure to validate the integrity of application code and/or application binaries prior to deploying an application into a production environment may compromise the operational network.
System Administrator
DCSQ-1
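The integrity check described above, as an added example written for this page (not from the STIG or any vendor tool): it verifies a vendor checksum manifest with the same algorithm the vendor used, inferred from digest length, and flags matches made with a non-DoD algorithm for review rather than reporting them as tampering. The manifest format (`<hex>  <filename>`, as produced by sha256sum and friends), the temporary sample files and the status strings are assumptions.

```python
import hashlib, hmac, os, tempfile
# The digest length (in hex characters) tells which algorithm the vendor used.
ALGO_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
DOD_APPROVED = {"sha256"}
def file_digest(path, algo, chunk=1 << 16):
    """Hash a file in chunks so large installer packages need not fit in memory."""
    h = hashlib.new(algo)     # md5/sha1 may be unavailable on FIPS-mode Python builds
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()
def verify_manifest(manifest_text, base_dir):
    """Check each '<hex>  <file>' manifest line against the files in base_dir, validating
    with the vendor's own algorithm. Returns {filename: status string}."""
    results = {}
    for line in manifest_text.strip().splitlines():
        expected, name = line.split(None, 1)
        name = name.lstrip("*")                  # sha*sum binary-mode marker
        algo = ALGO_BY_LEN.get(len(expected))
        if algo is None:
            results[name] = "UNKNOWN ALGORITHM"
            continue
        path = os.path.join(base_dir, name)
        if not os.path.isfile(path):
            results[name] = "MISSING"
            continue
        actual = file_digest(path, algo)
        if not hmac.compare_digest(actual, expected.lower()):
            results[name] = "MISMATCH"           # tampering or corruption in transit
        elif algo not in DOD_APPROVED:
            results[name] = f"ok (non-DoD algorithm: {algo})"   # matches, but flag for review
        else:
            results[name] = "ok"
    return results
def demo():
    """Constructed sample: two package files and a manifest; one file is modified after hashing."""
    d = tempfile.mkdtemp()
    good, legacy = os.path.join(d, "app.bin"), os.path.join(d, "legacy.zip")
    with open(good, "wb") as f:
        f.write(b"release build 1.0\n")
    with open(legacy, "wb") as f:
        f.write(b"vendor archive\n")
    manifest = (f"{file_digest(good, 'sha256')}  app.bin\n"
                f"{file_digest(legacy, 'sha1')}  legacy.zip\n"
                "deadbeef  missing.tar\n")          # malformed digest line
    with open(good, "ab") as f:
        f.write(b"changed after hashing\n")     # simulates modification in transit
    return verify_manifest(manifest, d)
```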